Extreme Networks

Jeremy_Gibbs · ‎10-09-2015

We have a few people that get an error saying "The identity of the authentication server could not be established" when trying to connect to an 802.1x network (Extreme IdentiFi running 9.21.003.0010) on 3825i. NAC reports this for the user:

TLS Alert read⚠️close notify TLS_accept: failed in SSLv3 read client certificate A error:140940E5:SSL routines:SSL3_READ_BYTES:ssl handshake failure

Any ideas? It's not everyone, just a small subset of people.

Matthew_Hum1 · ‎12-03-2015

I know it's "solved" but i wanted to give an explanation in the event someone else sees this. The error indicates that the Client did not accept the server certificate for some reason. it could be that the certificate expired, or that it failed verification. If this is not a public cert, and a self-signed or signed by an internal CA, and since it only affects some clients my money is on that the clients are trying to verify the cert and it is failing verification and therefore rejecting the certificate before any authentication can occur. I can only think of 3 ways to handle this: 1. disable certificate verification on the end system. this is not really recommended as you are opening that system up to MITM attacks, but can be done. this is really an issue if that end system connects to other outside networks. 2. put a certificate signed by a trusted CA on the authenticating server. 3. add the CA that signed the certificate as a trusted CA in the end system.

Jeremy_Gibbs · ‎12-02-2015

Haven't heard from the client in a while, I think they are okay (just told them to use the non 802.1x network)

Drew_C · ‎12-02-2015

Thanks Jeremy. I'm going to go ahead and mark this as "Solved."

Drew_C · ‎12-02-2015

Hi Jeremy,
I'm going through some older threads here and wanted to ask if you still need assistance with this?

Extreme Networks

Mac OS X and 802.1X authentication

Mac OS X and 802.1X authentication